India Adopts New Privacy Rules

Organizations doing business in India may be forced to re-evaluate how they handle personal information.

Amid worldwide lobbying by IT companies to promote the harmonization of data protection laws for the sake of cloud computing, India last month quietly issued new privacy rules that impose significant limitations on how businesses can handle personal information.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, or "Privacy Rules," were issued in April to implement India's 2008 IT Security Act amendment.

Because the rules implement an existing law, they did not undergo the prolonged period of public comment and industry input that typically precedes the passage of a law. Nonetheless, they "have all the force of a full-blow data privacy law," said Miriam Wugmeister, head of the global privacy practice at law firm Morrison & Foerster, in a phone interview.

The degree to which companies will comply with these rules remains unclear, as does the extent to which Indian authorities will enforce them. But Wugmeister believes the new privacy regime has the potential to dramatically affect the business landscape for IT companies in India and for overseas companies that contract IT services with Indian companies.

The Privacy Rules oblige organizations to notify individuals when their personal information is collected via letter, fax, or email. They require covered organizations to make a privacy policy available, to take steps to secure personal information, and to offer a dispute resolution process related to the collection and use of personal information.

"The law applies to all companies in India getting any information from anywhere," said Wugmeister. "On the face of it, it doesn't exempt the service provider."

What this means is that any personal collected in India, or outside of India and transferred into the country, is governed by these rules. As a consequence, Wugmeister suggests that outsourcing providers in India may be required to notify every person seeking assistance at a call center about their data handling practices and to obtain consent to handle personal data. Outsourcing providers, she says, may also be forced to make sure their customers' data handling practices match the requirements laid down in the new rules.

India's new Privacy Rules arrive as large IT companies like Microsoft are calling for more consistent international privacy and data protection laws, so cloud computing companies can transfer data across borders without legal uncertainty.

"[W]ith the migration to the cloud, it is increasingly important that data, in fact, be able to move across borders, and even around the world, albeit with real and effectively legal safeguards," argued Microsoft's general counsel Brad Smith in a speech delivered to the French National Assembly in January.

India's new rules may reflect a desire by lawmakers to court cloud computing providers, particularly those in the E.U., where data protection laws are stringent. But winning business from the E.U. may come at a cost. U.S companies may not want to adhere to India's relatively strong standards and could seek outsourcing partners in other countries.

Given the importance of IT to India, however, it seems likely that overly burdensome regulations will be relaxed, go unenforced, or be superseded by subsequent legislation.

There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.